CVE-2026-25660
CVE-2026-25660 is a critical-severity vulnerability in CodeChecker, rated 9.3/10 on the CVSS scale. EPSS estimates a 0.45% chance of exploitation in the next 30 days.
Description
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. An authentication bypass occurs when the request URL ends with Authentication and certain function calls are used. This bypass allows assigning arbitrary permissions to any user existing in CodeChecker. This issue affects CodeChecker versions through 6.27.3.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Red
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Ericsson | CodeChecker | < 6.27.4 |
Source: NVD / NIST
